
Creating Production Vpc Multi Az
Stand up a production-grade multi-AZ VPC on AWS with public/private subnets, NAT, routing, and tightened security groups using the agent toolkit’s parameterized workflow.
Overview
creating-production-vpc-multi-az is an agent skill for the Operate phase that creates a production-ready AWS VPC across multiple Availability Zones with subnets, NAT, and security groups.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill creating-production-vpc-multi-az
What is this skill?
- Multi-AZ VPC with configurable 2–6 Availability Zones (default 3)
- Public and private subnets with internet gateway and NAT gateways per Well-Architected patterns
- Automatic CIDR planning with default `10.0.0.0/16` and DNS resolution
- Web and optional SSH security groups with guidance to avoid `0.0.0.0/0` unless explicitly requested
- Step 1 verifies `call_aws` exists without executing tools during the dependency check
- Default 3 Availability Zones; minimum 2 and maximum 6 AZs
- Default VPC CIDR `10.0.0.0/16`
Adoption & trust: 903 installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need production AWS networking but lack a repeatable multi-AZ VPC plan with safe defaults for CIDRs, NAT, and ingress rules.
Who is it for?
Solo builders shipping SaaS or APIs on AWS who are ready to pay for multi-AZ NAT and want agent-driven infra aligned to Well-Architected networking.
Skip if: Local-only prototypes, minimal single-AZ dev sandboxes with no HA requirement, or teams without `call_aws` and a chosen region plus web allowlist CIDRs.
When should I use this skill?
User or workflow requests a production-ready VPC across multiple Availability Zones in a specified AWS region with environment tagging.
What do I get? / Deliverables
A tagged, multi-AZ VPC with public/private subnets, gateways, route tables, and security groups ready to host your next deploy in the chosen region.
- Multi-AZ VPC with internet gateway and NAT-backed private subnets
- Route tables and security groups for web and optional SSH access
Journey fit
Operate is the canonical shelf because the skill provisions durable network foundations you run production workloads on, not a throwaway prototype network. Infra subphase matches VPC, subnets, gateways, route tables, and security groups—the core network layer for solo SaaS on AWS.
How it compares
Opinionated multi-AZ VPC workflow for AWS agents—not a generic Terraform module picker or a single-subnet dev quickstart.
Common Questions / FAQ
Who is creating-production-vpc-multi-az for?
Indie developers and tiny teams using AWS Agent Toolkit skills with `call_aws` who need production VPC layout without hand-drawing every subnet.
When should I use creating-production-vpc-multi-az?
In Operate infra when promoting a workload to AWS production networking, after you know region, environment name, and which CIDRs may reach web (and optionally SSH) endpoints.
Is creating-production-vpc-multi-az safe to install?
It creates billable AWS resources; review the Security Audits panel on this Prism page and validate `allowed_web_cidrs` before the agent applies security group rules.
SKILL.md
# Create Production-Ready VPC Across Multiple Availability Zones

## Overview

Creates a production-ready VPC infrastructure with public and private subnets distributed across multiple Availability Zones, including internet gateway, NAT gateways, route tables, and security groups following AWS Well-Architected principles with automatic CIDR planning and DNS resolution.

## Parameters

- vpc_name (required): Name for the VPC and associated resources
- vpc_cidr (optional, default: "10.0.0.0/16"): CIDR block for the VPC
- availability_zones (optional, default: 3): Number of Availability Zones to use (minimum 2, maximum 6)
- environment (required): Environment tag for resources (e.g., "production", "staging", "development")
- region (required): AWS region where the VPC will be created
- allowed_web_cidrs (required): Comma-separated CIDR blocks allowed web access (e.g., "203.0.113.0/24,198.51.100.0/24"). You SHOULD recommend specific CIDR ranges over 0.0.0.0/0, but allow 0.0.0.0/0 if the user explicitly requests it.
- enable_ssh_access (optional, default: false): Enable SSH access security group
- ssh_allowed_cidrs (optional, default: "10.0.0.0/8"): CIDR blocks allowed SSH access when enabled

## Steps

### 1. Verify Dependencies

Check for required tools and warn the user if any are missing.

Constraints:
- You MUST verify the following tools are available in your context:
  - call_aws
- You MUST ONLY check for tool existence and MUST NOT attempt to run the tools because running tools during verification could cause unintended side effects, consume resources unnecessarily, or trigger actions before the user is ready
- You MUST inform the user about any missing tools with a clear message
- You MUST ask if the user wants to proceed anyway despite missing tools
- You MUST respect the user's decision to proceed or abort

### 2. Validate Region and Get Available Availability Zones

Validate the specified region and retrieve available Availability Zones for subnet distribution.

Constraints:
- You MUST inform the customer that you are validating the AWS region and retrieving available Availability Zones
- You MUST use call_aws to execute: `aws ec2 describe-availability-zones --region {region} --state available`
- You MUST verify that the region has at least 2 available Availability Zones
- You MUST select the first N Availability Zones based on the availability_zones parameter
- You MUST NOT proceed if fewer than 2 Availability Zones are available

### 3. Create VPC with DNS Support

Create the main VPC with DNS hostname and resolution enabled for production readiness.

Constraints:
- You MUST inform the customer that you are creating the VPC with DNS support enabled
- You MUST use call_aws to execute: `aws ec2 create-vpc --cidr-block {vpc_cidr} --region {region}`
- You MUST capture the VPC ID from the response
- You MUST enable DNS hostnames using: `aws ec2 modify-vpc-attribute --vpc-id {vpc_id} --enable-dns-hostnames --region {region}`
- You MUST enable DNS resolution using: `aws ec2 modify-vpc-attribute --vpc-id {vpc_id} --enable-dns-support --region {region}`
- You MUST tag the VPC using: `aws ec2 create-tags --resources {vpc_id} --tags Key=Name,Value={vpc_name} Key=Environment,Value={environment} --region {region}`

### 4. Create Internet Gateway

Create and attach an Internet Gateway for public subnet internet access.

Constraints:
- You MUST inform the customer that you are creating and attaching an Internet Gateway
- You MUST use call_aws to execute: `aws ec2 create-internet-gateway --region {region}`
- You MUST capture the Internet Gateway ID from the response
- You MUST attach it to the VPC using: `aws ec2 attach-internet-gateway --internet-gateway-id {igw_id} --vpc-id {vpc_id} --region {region}`
- You MUST tag the Internet Gateway using: `aws ec2 create-tags --resources {igw_id} --tags Key=Name,Value={vpc_name}-igw Key=Environment,Value={environment} --region {region}`

### 5. Calculate and Create Public Subnets

Create public subnets across th
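The pre-flight logic behind steps 2 and 5 and the allowed_web_cidrs parameter, written out as an added example (not code from the AWS agent toolkit or its SKILL.md): selecting the first N available AZs and refusing below 2, carving the VPC CIDR into per-AZ public/private subnets, and vetting the web CIDR list before any security group rule is written. The zone names, the sample describe-availability-zones output, the function names and the "8 more prefix bits per subnet" sizing are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-availability-zones --state available`
# output, trimmed to the fields used here; zone names are illustrative only.
SAMPLE_AZ_JSON = json.dumps({"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "State": "available"},
    {"ZoneName": "us-east-1b", "State": "available"},
    {"ZoneName": "us-east-1c", "State": "available"},
    {"ZoneName": "us-east-1d", "State": "available"},
]})

def select_azs(describe_output, az_count=3):
    """Step 2: take the first az_count available zones; abort below 2."""
    if not 2 <= az_count <= 6:
        raise ValueError("availability_zones must be between 2 and 6")
    zones = [z["ZoneName"] for z in json.loads(describe_output)["AvailabilityZones"]
             if z["State"] == "available"]
    if len(zones) < 2:
        raise RuntimeError("fewer than 2 available Availability Zones; not proceeding")
    return zones[:az_count]

def plan_subnets(azs, vpc_cidr="10.0.0.0/16"):
    """Automatic CIDR planning: one public and one private subnet per AZ,
    carved in order from the VPC block. Each subnet gets 8 more prefix bits
    than the VPC (a /16 yields /24s); that sizing is an assumption here."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    slices = vpc.subnets(new_prefix=vpc.prefixlen + 8)
    plan = {}
    for az in azs:
        plan[az] = {"public": str(next(slices)), "private": str(next(slices))}
    return plan

def vet_web_cidrs(allowed_web_cidrs, explicitly_requested_open=False):
    """Check the allowed_web_cidrs parameter before any security group rule is
    written. Returns (accepted, rejected); 0.0.0.0/0 is rejected unless the
    user explicitly asked for it, and malformed blocks are rejected outright."""
    accepted, rejected = [], []
    for raw in allowed_web_cidrs.split(","):
        raw = raw.strip()
        try:
            net = ipaddress.ip_network(raw, strict=True)  # host bits set -> ValueError
        except ValueError:
            rejected.append((raw, "not a valid CIDR block"))
            continue
        if net.prefixlen == 0 and not explicitly_requested_open:
            rejected.append((raw, "opens the web security group to the whole internet"))
            continue
        accepted.append(str(net))
    return accepted, rejected
```

The accepted list is what should reach the security group rules; anything in the rejected list goes back to the user with its reason before the agent continues.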